 
  

 






<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> 
<html>

<!-- Mirrored from www.javapractices.com/topic/TopicAction.do;jsessionid=4FCCB481C702D708A7360133D128E359?Id=216 by HTTrack Website Copier/3.x [XR&CO'2010], Sun, 12 Jun 2011 17:27:59 GMT -->
<!-- Added by HTTrack --><meta http-equiv="content-type" content="text/html;charset=UTF-8"><!-- /Added by HTTrack -->
<head>
 <title>
  Java Practices -> Passwords never in clear text
 </title>
 <link rel="stylesheet" type="text/css" href="../stylesheet8.css" media="all">
 
 <link rel="shortcut icon" href='../images/favicon.ico' type="image/vnd.microsoft.icon">
 <meta name="description" content="Concise presentations of java programming practices, tasks, and conventions, amply illustrated with syntax highlighted code examples.">
 
 <meta name='keywords' content='java,java programming,java practices,java idiom,java style,java design patterns,java coding conventions,'>
 
 
</head>
 
<body>


<div class='menu-bar'>
 
  <a href='../home/HomeAction.html' title='Table of Contents'>Home</a> |
  <a href='../vote/VoteSummaryAction-2.html' title='View Poll Results'>Poll</a> |
   
  <A href='../feedback/FeedbackAction451f-2.html?Operation=Show' title='Send Your Feedback'>Wiki</a> |
  <b><a href='../source/SourceAction-2.html' title='Grab Source Code'>Source Code</a></b><IMG class='no-margin' SRC="../images/goldstar.gif" ALT=""> |

  <a href='http://www.web4j.com/Java_Web_Application_Framework_Overview.jsp?From=1' title='Free Download - Java Web Application Framework'><b>WEB4J</b></a> |
  
  <a href='http://www.date4j.net/' title='Replacement for java.util.Date'><b>DATE4J</b></a> |

   <a href='../references/ReferencesAction-2.html' title='References'>Links</a>
   
  <form action='http://www.javapractices.com/search/SearchAction.do' method='get' class='search-form'>
   <input type='text' name='SearchTerms' value="" size=12 maxlength=50 class='search'>
   <input type='submit' value="Search">
  </form>
 
</div>

<P>



  

 






<p class="display-messages">

 

 

</p>


<div class="main-layout">
 
   

 




<div class='page-title'>Passwords never in clear text</div>

<div class='main-body'>
 <br>
Applications should not refer to the clear text versions of passwords - not in the database, 
not when logging, nor in any other area. 
The clear text version of the password should be the end user's secret.
It should never be directly repeated or stored by an application.

<P><b>Clear Text Versus Hash</b><br>
A user inputs a password in its original, unaltered form - that is, in "clear text".
However, a database should never store passwords in clear text. 
Instead, the value stored by the database should be calculated as <PRE>
stored-value = hash(clear-text-password + salt-value)</PRE>

The intent here is to store text which cannot be easily reverse-engineered back into the original password. 
The <tt>salt-value</tt> is a random string added to the password.
It's added to prevent simple dictionary-style reverse engineering of the hashed value of the plain text password.
<P>(Regarding Tomcat5: its implementation of form-based login doesn't allow for the salt value.)

<P><b>Hash Functions</b><br>
SHA-1, SHA-256, SHA-384, and SHA-512 are all examples of hash functions. A hash function is also called a 
<a href='http://java.sun.com/javase/6/docs/api/java/security/MessageDigest.html'><tt>MessageDigest</tt></a>.
(The MD5 hash has been shown to be defective, and should usually be avoided.) 

<P><i>A <a href='http://en.wikipedia.org/wiki/Cryptographic_hash_function'>hash function</a> 
is not an encryption</i>. Encrypted items are always meant for eventual <em>decryption</em>. 
A hash function, on the other hand, is meant only as a <em>one-way operation</em>. The whole 
idea of a hash function is that it should be very difficult to calculate the original 
input value, given the hash value.

<p>If <tt>y = hash(x)</tt> is a hash function, and <tt>y</tt> and <tt>x</tt> both represent text strings, then 
<ul>
<li>given the output <tt>y</tt>, it is very hard to deduce the original input <tt>x</tt>
<li>similar inputs will give markedly different outputs
<li>input <tt>x</tt> can have <em>arbitrary</em> length
<li>output <tt>y</tt> will have <em>fixed</em> length
<li>there is only a trivial chance of "collisions", where different inputs give the same output
</ul>

<P>The above properties allow for passwords (or pass phrases) of arbitrary length, while still
letting the underlying database column which stores the hash value to be of fixed width.

<P><b>Example</b>
<P>This example uses <a href='http://java.sun.com/javase/6/docs/api/java/security/MessageDigest.html'><tt>MessageDigest</tt></a> 
and the SHA-1 hash function :
<br>
<PRE>

<span class='keyword'>import</span> java.security.MessageDigest;
<span class='keyword'>import</span> java.security.NoSuchAlgorithmException;

<span class='comment'>/** Example hash function values.*/</span>
<span class='keyword'>public</span> <span class='keyword'>final</span> <span class='keyword'>class</span> HashExamples {
  
  <span class='keyword'>public</span> <span class='keyword'>static</span> <span class='keyword'>void</span> main(String... aArgs) {
    <span class='keyword'>try</span> {
      MessageDigest sha = MessageDigest.getInstance(<span class='literal'>"SHA-1"</span>);
      <span class='keyword'>byte</span>[] hashOne = sha.digest(<span class='literal'>"color"</span>.getBytes());
      log(<span class='literal'>"Hash of 'color':  "</span> + hexEncode(hashOne));
      sha.reset();
      <span class='keyword'>byte</span>[]  hashTwo = sha.digest(<span class='literal'>"colour"</span>.getBytes());
      log(<span class='literal'>"Hash of 'colour': "</span> + hexEncode(hashTwo));
    }
    <span class='keyword'>catch</span> (NoSuchAlgorithmException ex){
      log(<span class='literal'>"No such algorithm found in JRE."</span>);
    }
  }
  
  <span class='keyword'>private</span> <span class='keyword'>static</span> <span class='keyword'>void</span> log(Object aObject) {
    System.out.println(String.valueOf(aObject));
  }

  <span class='comment'>/**
  * The byte[] returned by MessageDigest does not have a nice
  * textual representation, so some form of encoding is usually performed.
  *
  * This implementation follows the example of David Flanagan's book
  * "Java In A Nutshell", and converts a byte array into a String
  * of hex characters.
  */</span>
  <span class='keyword'>static</span> <span class='keyword'>private</span> String hexEncode( <span class='keyword'>byte</span>[] aInput){
    StringBuffer result = <span class='keyword'>new</span> StringBuffer();
    <span class='keyword'>char</span>[] digits = {<span class='literal'>'0'</span>, <span class='literal'>'1'</span>, <span class='literal'>'2'</span>, <span class='literal'>'3'</span>, <span class='literal'>'4'</span>,<span class='literal'>'5'</span>,<span class='literal'>'6'</span>,<span class='literal'>'7'</span>,<span class='literal'>'8'</span>,<span class='literal'>'9'</span>,<span class='literal'>'a'</span>,<span class='literal'>'b'</span>,<span class='literal'>'c'</span>,<span class='literal'>'d'</span>,<span class='literal'>'e'</span>,<span class='literal'>'f'</span>};
    <span class='keyword'>for</span> (<span class='keyword'>int</span> idx = <span class='literal'>0</span>; idx &lt; aInput.length; ++idx) {
      <span class='keyword'>byte</span> b = aInput[idx];
      result.append( digits[ (b&amp;<span class='literal'>0xf0</span>) &gt;&gt; <span class='literal'>4</span> ] );
      result.append( digits[ b&amp;<span class='literal'>0x0f</span>] );
    }
    <span class='keyword'>return</span> result.toString();
  }  
}
 
</PRE>
<br>
Example run :
<PRE>
Hash of 'color':  6dd0fe8001145bec4a12d0e22da711c4970d000b
Hash of 'colour': 79d41a47e8fec55856a6a6c5ba53c2462be4852e
</PRE>
<br>
<br>

</div>





<div class='topic-section'>Would you use this technique?</div>
<div class='main-body'>
  
  <form action="http://www.javapractices.com/vote/AddVoteAction.do" method='post'>
    Yes<input type='radio' name='Choice' value='Y' >
    &nbsp;&nbsp;No<input type='radio' name='Choice' value='N'>
    &nbsp;&nbsp;Undecided<input type='radio' name='Choice' value="?" >
    &nbsp;&nbsp;<input type=submit value="Vote" >
    <input type='hidden' name='Operation' value='Apply'>
    <input type='hidden' name='TopicId' value='216'>
  </form>
</div>

<div style='height:10.0em;'></div>

 
 
</div>

  

 





<div align='center' class='legalese'>  
&copy; 2011 Hirondelle Systems |
<a href='../source/SourceAction-2.html'><b>Source Code</b></a><IMG class='no-margin' SRC="../images/goldstar.gif" ALT=""> |
<a href="mailto:webmaster@javapractices.com">Contact</a> |
<a href="http://creativecommons.org/licenses/by-nc-sa/1.0/">License</a> |
<a href='../apps/cjp.rss'>RSS</a>
<!-- ukey="2AC36CD2" -->
<!-- ckey="16DF3D87" -->
<br>

 Individual code snippets can be used under this <a href='../LICENSE.txt'>BSD license</a> - Last updated on June 6, 2010.<br>
 Over 150,000 unique IPs last month - <span title='Java Practices 2.6.5, Mon May 16 00:00:00 EDT 2011'>Built with</span> <a href='http://www.web4j.com/'>WEB4J</a>.<br>
 - In Memoriam : Bill Dirani -
</div>

<script src="../../www.google-analytics.com/urchin.js" type="text/javascript">
</script>
<script type="text/javascript">
_uacct = "UA-2633428-1";
urchinTracker();
</script>



</body>

<!-- Mirrored from www.javapractices.com/topic/TopicAction.do;jsessionid=4FCCB481C702D708A7360133D128E359?Id=216 by HTTrack Website Copier/3.x [XR&CO'2010], Sun, 12 Jun 2011 17:27:59 GMT -->
<!-- Added by HTTrack --><meta http-equiv="content-type" content="text/html;charset=UTF-8"><!-- /Added by HTTrack -->
</html>
